Security Experts Say Data Thieves Are Getting Harder To Fight

Target Co. estimates that at least 70 million individuals may have had information including their "names, mailing addresses, phone numbers or email addresses" stolen in a recent data breach.

Joe Raedle
/ Getty Images

Listen

Listening...

/

Originally published on January 14, 2014 7:53 am

The recent disclosure that a large trove of customer information was stolen from Target, and now also from Neiman Marcus, points to growing vulnerabilities in cybersecurity. And experts say the problem is becoming more difficult to combat.

Avivah Litan, a security analyst at Gartner, says she's hearing from sources at retailers that the holiday-season data breaches were not limited to the 70 million-plus Target customers and untold number of Neiman Marcus shoppers.

"It's clear that there is a new bout of attacks," Litan says. She says data thieves struck several years ago at T.J. Maxx, J.C. Penney and Target and that they could be back, though it might be a different gang of thieves.

Litan blames, in large part, the magnetic payment strip system, which she says is more vulnerable than systems used by other countries around the world that have smart chips embedded in credit cards.

David Burg, leader of cybersecurity at PricewaterhouseCoopers, adds that part of the problem is rapid innovation.

"As we use more and more technologies to collaborate among businesses, or to connect with consumers using mobile devices and other kinds of applications that allow consumers to interface with various corporations, what you have is an attack surface that keeps increasing in size and complexity, making it very hard to secure," Burg says.

Burg says while there is a lot of pressure on retailers to alert consumers, regulatory and law enforcement authorities quickly, often there are delays because criminals work hard to cover their tracks.

"It's very hard to figure out what happened, how it happened and what the impact was," he says.

Tom Kellermann, a managing director at Alvarez & Marsal, a professional services firm, says the latest round of attacks indicate that even companies that invest heavily in sophisticated security systems are seeing new vulnerabilities from new sources — namely, rogue hackers who are buying readily available software tools on the black market.

"There's a massive consulting- and software-based industry that supports the shadow economy that makes it far easier for people who are not sophisticated to leverage these types of attacks," Kellermann says.

Kellermann says organized crime syndicates — especially in Eastern Europe — not only make money selling the malware but also use the hackers' channels to their own ends. They prod at a company's network, often hanging out for months undetected, and then plan their attack.

"From someone who has investigated major breaches in the past, I am suggesting that this campaign in particular definitely went on for months," he says.

The loss to consumers is often time spent getting reimbursement from their credit card companies. But for the retailers, Kellermann says the loss is "incalculable."

It costs about $200 per lost record to cover legal expenses and fines. In addition, as Target recently saw, a retailer's reputation takes a hit, and its stock can fall.

Doug Johnson, who oversees risk management policy for the American Bankers Association, says banks sustain losses as well. He says forensic investigations — as the FBI and Secret Service are conducting now on the Target and Neiman Marcus breaches — take a lot of time. In the end, it's often difficult to prove where the data leaked, and so banks often end up holding the bag.

"[Because] it's the financial institution that reimburses the customer for that fraud," Johnson says.

Target CEO Gregg Steinhafel apologized to customers on CNBC on Monday, saying Target would pay for credit monitoring and vowing to make things right for the consumers.

Copyright 2014 NPR. To see more, visit http://www.npr.org/.

Transcript

RENEE MONTAGNE, HOST:

Neiman Marcus is the latest retailer to disclose it has large troves of customer information stolen. This comes after a major data breach at Target. Security experts say other prominent U.S. stores may have had credit card data hacked as well. The attacks point to growing vulnerabilities in cyber security. NPR's Yuki Noguchi reports.

YUKI NOGUCHI, BYLINE: Avivah Litan says she's hearing from sources at retailers that the data breaches last holiday season were not limited to the 70 million-plus Target customers and untold number of Neiman Marcus shoppers.

AVIVAH LITAN: It's clear that there is a new bout of attacks.

NOGUCHI: Litan is a security analyst at Gartner. She says remember the data thieves who struck several years ago at T.J. Maxx, J.C. Penney and Target?

LITAN: Well, they're back. It may be a different gang, it's not limited to Target. It's not limited to Nieman Marcus. It's per basis.

NOGUCHI: Litan blames, in large part, the magnetic payment strip system, which she says is more vulnerable than systems used by other countries around the world which have smart chips embedded in credit cards. David Burg, leader of cybersecurity at PricewaterhouseCoopers, adds that part of the problem is rapid innovation.

DAVID BURG: As we use more and more technologies to collaborate among businesses, or to connect with consumers using things like mobile devices and other kinds of applications that allow the consumer to interface with various corporations, what you have is an attack surface that keeps increasing in size and complexity, making it very hard to secure.

NOGUCHI: Burg says while there is a lot of pressure on retailers to alert consumers, regulatory and law enforcement officials quickly, often there are delays because criminals work hard to cover their tracks.

BURG: It's very hard to figure out what happened and how it happened and what the impact was.

NOGUCHI: Tom Kellermann is a managing director at Alvarez & Marsal, a professional services firm. He says the latest round of attacks indicate that even companies that invest heavily in sophisticated security systems are seeing new vulnerabilities from new sources, namely rogue hackers who are buying readily available software tools on the black market.

TOM KELLERMAN: There is a massive consulting and software-based industry that supports the shadow economy that is making it far easier for people who are not sophisticated to leverage these types of attacks.

NOGUCHI: Kellermann says organized crime syndicates, especially in Eastern Europe, not only make money selling the malware, they also then use the hackers' channels to their own ends. They prod at a company's network, often hanging out for months undetected, and then plan their attack.

KELLERMAN: These targeted attacks from someone who has investigated major breaches in the past, I am suggesting that this campaign in particular definitely went on for months.

NOGUCHI: The loss to the consumer is often time, getting reimbursement from their credit card company. But for the retailer, Kellermann says...

KELLERMAN: It is incalculable.

NOGUCHI: It costs about $200 per lost record to cover legal expenses and fines. In addition, as Target recently saw, a retailer's reputation takes a hit, and its stock can fall. Doug Johnson oversees risk management policy for the American Bankers Association and he says banks sustain losses as well. He says forensic investigations, as the FBI and Secret Service are conducting now on the Target and Neiman Marcus breaches, take a lot of time.

At the end of it, it's often difficult to prove where the data leaked, so banks often end up holding the bag.

DOUG JOHNSON: 'Cause it's going to be the financial institution that reimburses the customer for that fraud.

NOGUCHI: Target CEO Gregg Steinhafel apologized to customers on CNBC yesterday, saying Target would pay for credit monitoring, and he vowed to make things right for the consumers. Yuki Noguchi, NPR News, Washington.